
Hacking the Corporate Mind 


Using Social Engineering Tactics to Improve 
Organizational Security Acceptance 


James Philput 











Why Should You Listen To Me? 


Aside from the fact that you paid to be here... 

15 years' worth of IT experience 

10 years as an infosec geek 
— Primarily network defense 

Currently Sr. Information Assurance Analyst for IAP - 
Information Assurance Professionals 

Technical reviewer for SANS 

Past author and instructor for SANS 

Past work in the telecommunications, education and 
medical fields as well as work with state and federal 
government organizations 





Engagement: Improve Organizational Acceptance of Infosec 


• Step 1 - Define the problem 

• Step 2 - Define the rules of engagement 

• Step 3 - Attack! 

• Step 4 - Lessons Learned 





Defining The Problem 


Infosec is struggling 

• With the users 

• With the budget 

• With the bad guys 

Organizations are leaking 

• Financial Data 

• Trade Secrets 

• Embarrassing Memos 


The bad guys are winning 


How Can We Fix This? 


Infosec and the Users need to cooperate 






Know Your Enemy, Know Yourself 


• The largest obstacle to acceptance is: 


Infosec is an Obstacle 


Numerous articles on how to improve IT 

• Technical Press 

• Industry Blogs 

• Mailing Lists 


Commenters Routinely Post Quotes Like These 


• "Security needs to get out of the way" 

• "Just let me work" 

• "The geeks are mean" 

• "IT is unapproachable" 


The Users 


"Note to Self: They are people not users" 

- Lenny Zeltser 

Not fully understanding IT is not a crime 
• Though it can be really annoying 

They're not geeks 
They're not dumb 

They are frequently experts in their own fields 
Stop pronouncing "user" with a leading "L" 


Business Need Trumps Security 


This is the hardest thing for defense geeks to accept 

• Changing these perspectives is daunting but doable 

• The dollar cost of a breach goes up when you factor in 
reputation 

• Damage to corporate image is expensive 

• Damage to executive reputations is also pricey 

• Ask for it in writing 

• Ask how a breach will play in the media 

• Be very careful with this one 

• In some cases a risk MUST be accepted in order to do 
business 





Infosec Needs Champions 


• Modern infrastructure challenges 

• Consumerization 

• Cloud Computing 

• Fluid Network Boundaries 

• Changing Threat Landscape 

• How do we make the users care? 

- Without the use of power tools 





Who Are You? 








What Do You Want? 


• A chance to make things better 

• The ability to make the network safer 

• The ability to prevent information from being 
stolen 

• To protect the work, lives and livelihoods of 
the people using our networks 


What is an Infosec Geek to do? 


• We can't hide from the users 

• We can't penalize the group for the actions of 
a few 

• We can't be the traffic cops of the 
organization 

• We can use our own skills to gain acceptance 

• Problem Solving 

• Social Engineering 





Talk, you Introverted Bastards! 


• Communication is the key 

• Learn how to make small talk 

• Attend office functions 

• Many users accept limitations that they 
understand 

• Simply talking to your users can build bridges 

• For many users, Introverted = Mean 


Put On Your Social Engineering Hat 


• Start paying attention to your users' habits 

• Find the best way to infiltrate each target 
group 

• Learn how to speak to them the way they 
speak to each other 

• Get the information you need 

• Plant the information you want distributed 


Find out how to blend in 


Sometimes a necktie gets you more ears than a well-reasoned argument 

Fashion matters to some users 

• Talk to your significant other, or annoying fashionable 
sibling for pointers 

Suits listen to other suits 

• It's like gang colors 

• If you were running a physical pen test on an organization, 
would you dress the way you do on a normal day at the 
office? 

• Clothing has a surprising way of getting people's attention 





Examine the Target 


Look at how they work 

Find out where they talk 

• And what they talk about 

Get an idea of what is important to them 

• A little personal interest goes a long way 

Use their names in conversation 


Recon is complete, now what? 

Use what you've learned 
Protective camouflage 
Communicate as they do 








Insert The Data 




• You're no longer 

• The Security Dude(ette) 

• The IT person 

• You've become $yournamehere 

• Human in the eyes of the users 

• Start talking to them 

• About how infosec impacts them 

• What a breach can do to the company 

• What they can do to help fix potential problems 

• How you can make their lives easier and more secure 







Case Study: Prox Card Login 


Clinicians want faster access to records 

Non-technical management wants card based 
system 

Prox card based for various reasons 

• Existing badges can be used 

• No extra item to carry 

• Users already familiar with the technology 

• Prox cards are the cheapest option 

Vendor claims HIPAA compliance 

• Without the need for a PIN at each login 





Case Study: Prox Card Login (2) 


The project is sent to the security team 

The cost argument fails 

The policy argument fails 

Infosec speaks to the proposing department 

• Finds that the current login setup is taking away 
from patient care 

• New system allows more direct time with patient 

• System is secure because clinicians always have 
their badges 





Case Study: Prox Card Login (3) 


Security explains the risks 

• Commodity hardware allows easy badge cloning 

• Cloned badges expose clinicians to liability 

• HIPAA violations 

• Accusations of billing fraud 

• Fraudulent narcotics prescriptions 

Security offers options 

• Chip and PIN based system 

• Prox card with PIN entry at every login 

The prox card system is implemented more 
securely 





Listen to the Users 


Don't forget to listen 

Learn how they work 

Find out what they need 

Listen to how security "gets in the way" 

Empathize and Explain 

Build your security with the users in mind 
• Help them do their jobs more securely 






Change Your Plans 


• Adapt your security plans 

• Take the complaints and learn from them 

• Make security make sense to the user 
• Inconsistent policies = violated policies 

• Loosen restrictions that don't need to be in your 
organization 


Communication 




Focus on the audience 
Know their strengths 
Know their limitations 
Shorten your emails 


"If you can't explain it simply, you don't understand 
it well enough" 

-Albert Einstein 


C-Level Wants Different Information 


• Spend X to save Y 

• Short points, easily digestible 

• Clear goals and costs 

• Regulatory requirements 


Non-Technical Management 


How will this impact them 
How will this impact their employees 
What is the impact to the business 
Is this a regulatory requirement 


Technical Management 


What is the problem 

How do we solve it 

How else do we solve it 

What is the likelihood of exploitation 






Conclusion 


Communication solves problems 

Understand your users and adapt to allow them to 
work 

Explain limitations 

It won't work with everyone, but it will help 


Questions? 


Black Hat 



James Philput 
james@philput.com 
@jphilput 

